
Bug#1106790: marked as done (bookworm-pu: package mydumper/0.10.1-1+deb12u2)



Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <E1veXdC-00000004SKL-0j5D@coccia.debian.org>
and subject line Released with 12.13
has caused the Debian Bug report #1106790,
regarding bookworm-pu: package mydumper/0.10.1-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106790: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106790
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: mydumper@packages.debian.org, debian@rocketjump.eu
Control: affects -1 + src:mydumper
User: release.debian.org@packages.debian.org
Usertags: pu

This is a targeted fix for CVE-2025-30224. I have not been able to reproduce the
issue with the provided PoC against mysql-server 10 from unstable, which is the
only version that ships the rewriter plugin that's needed. Presumably a specific
mysql server version is needed to reproduce the issue.

It however does not break anything, as I added autopkgtests to the package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru mydumper-0.10.1/debian/changelog mydumper-0.10.1/debian/changelog
--- mydumper-0.10.1/debian/changelog	2021-02-09 21:49:25.000000000 +0100
+++ mydumper-0.10.1/debian/changelog	2025-05-29 22:11:53.000000000 +0200
@@ -1,3 +1,20 @@
+mydumper (0.10.1-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2025-30224:
+    - The MySQL C client library (libmysqlclient) allows authenticated remote
+      actors to read arbitrary files from client systems via a crafted server
+      response to LOAD LOCAL INFILE query, leading to sensitive information
+      disclosure when clients connect to untrusted MySQL servers without
+      explicitly disabling the local infile capability. Mydumper had the local
+      infile option enabled by default and does not have an option to disable
+      it. This can lead to an unexpected arbitrary file read if the Mydumper
+      tool connects to an untrusted server.
+  * Add autopkgtest integration tests
+  * Add debian/gbp.conf
+
+ -- Lee Garrett <debian@rocketjump.eu>  Thu, 29 May 2025 22:11:53 +0200
+
 mydumper (0.10.1-1) unstable; urgency=medium
 
   * New upstream version 0.10.1
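Review bot: the CVE-2025-30224 paragraph mixes tenses ("had the local infile option enabled by default and does not have an option to disable it") and describes only the old state; a changelog reader wants the new behaviour stated too, since the fix removes the capability without an opt-in. Suggest ending the entry with one line such as "Local infile is now unconditionally disabled in the client connection; there is no option to re-enable it."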
diff -Nru mydumper-0.10.1/debian/gbp.conf mydumper-0.10.1/debian/gbp.conf
--- mydumper-0.10.1/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/gbp.conf	2025-05-29 22:09:54.000000000 +0200
@@ -0,0 +1,10 @@
+# Configuration for git-buildpackage and affiliated tools
+
+[DEFAULT]
+debian-branch = debian/bookworm
+pristine-tar = True
+sign-tags = True
+upstream-branch = upstream/bookworm
+
+[import-orig]
+merge-mode = replace
diff -Nru mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch
--- mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch	1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/patches/0005-CVE-2025-30224.patch	2025-05-29 22:02:21.000000000 +0200
@@ -0,0 +1,9 @@
+--- a/connection.c
++++ b/connection.c
+@@ -52,4 +52,6 @@
+   mysql_ssl_set(conn, key, cert, ca, capath, cipher);
+   mysql_options(conn, MYSQL_OPT_SSL_ENFORCE, &i);
+ #endif
++  /* unconditionally disable infile to fix CVE-2025-30224 */
++  mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);
+ }
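Review bot: the added `mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, NULL);` does not disable LOAD DATA LOCAL. For this option both libmysqlclient and MariaDB Connector/C document and implement a NULL argument as "enable": the client sets CLIENT_LOCAL_FILES when the pointer is NULL or points to a non-zero unsigned int, and clears it only when it points to zero. As written the patch therefore leaves the capability on, which is consistent with the submitter not being able to reproduce the PoC either before or after. Pass an explicit zero, using its own variable rather than the `i` that `MYSQL_OPT_SSL_ENFORCE` takes two lines above: `unsigned int local_infile = 0;` followed by `mysql_options(conn, MYSQL_OPT_LOCAL_INFILE, &local_infile);`. Placing the call after `#endif` so it runs regardless of SSL support is right.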
diff -Nru mydumper-0.10.1/debian/patches/series mydumper-0.10.1/debian/patches/series
--- mydumper-0.10.1/debian/patches/series	2021-02-09 21:46:48.000000000 +0100
+++ mydumper-0.10.1/debian/patches/series	2025-05-29 21:23:34.000000000 +0200
@@ -2,3 +2,4 @@
 0002-dont-install-documentation-source.patch
 0001-Link-mydumper-against-libm.patch
 0003-ssl-mariadb-connector.patch
+0005-CVE-2025-30224.patch
diff -Nru mydumper-0.10.1/debian/tests/control mydumper-0.10.1/debian/tests/control
--- mydumper-0.10.1/debian/tests/control	1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/control	2025-05-29 21:23:17.000000000 +0200
@@ -0,0 +1,6 @@
+Tests: integration-test.sh
+Depends: @,
+         default-mysql-server
+Restrictions:
+  isolation-machine,
+  needs-root,
diff -Nru mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql
--- mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql	1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/integration_test_debian.itd.sql	2025-05-29 21:23:17.000000000 +0200
@@ -0,0 +1,7 @@
+/*!40101 SET NAMES binary*/;
+/*!40014 SET FOREIGN_KEY_CHECKS=0*/;
+/*!40103 SET TIME_ZONE='+00:00' */;
+INSERT INTO `itd` VALUES
+(1,"foo"),
+(2,"bar"),
+(3,"baz");
diff -Nru mydumper-0.10.1/debian/tests/integration-test.sh mydumper-0.10.1/debian/tests/integration-test.sh
--- mydumper-0.10.1/debian/tests/integration-test.sh	1970-01-01 01:00:00.000000000 +0100
+++ mydumper-0.10.1/debian/tests/integration-test.sh	2025-05-29 21:23:17.000000000 +0200
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# This script will
+# - create a database
+# - dump this database with mydumper and compare it with the reference
+# - restore the dump to another database
+# - dump that other database with mydumper and compare it with the reference
+# - delete the database that were created.
+
+set -eu
+
+echo "pwd is $(pwd)"
+
+# check that it outputs something sensible and doesn't error out
+echo "### minimal functionality check of mydumper binary ###"
+mydumper -V | grep mydumper
+
+echo "### create a mariadb database, tables, and adding some values ###"
+mysql -e 'CREATE DATABASE IF NOT EXISTS integration_test_debian;'
+mysql -e 'CREATE DATABASE IF NOT EXISTS integration_test_debian2;'
+mysql -e 'CREATE TABLE itd (id INT AUTO_INCREMENT, words VARCHAR(50), PRIMARY KEY (id));' integration_test_debian
+mysql -e 'INSERT INTO itd (words) VALUES ("foo"), ("bar"), ("baz");' integration_test_debian
+
+echo "\n\n### Dump the database we just created ###"
+mydumper --database integration_test_debian -v 3 2>&1
+
+# find the latest dump file of the database created above
+DUMPFILE=$(ls -1t ./*/integration_test_debian.itd.sql | head -n 1)
+echo "dumpfile is located at ${DUMPFILE}."
+
+echo "\n\n### Ensure the dumped database is identical with the reference ###"
+diff -urN ./debian/tests/integration_test_debian.itd.sql "${DUMPFILE}"
+echo "./debian/tests/integration_test_debian.itd.sql and ${DUMPFILE} match."
+
+myloader --database integration_test_debian2 --directory $(ls -1td ./export-* | head -n 1)
+
+echo '\n\n### sleep for 2 seconds to make sure the export dir increments ###'
+sleep 2
+
+echo "\n\n### Dump the new database we just restored ###"
+mydumper --database integration_test_debian2 -v 3 2>&1
+
+# find the latest dump file of the database created above
+DUMPFILE=$(ls -1t ./*/integration_test_debian2.itd.sql | head -n 1)
+echo "dumpfile is located at ${DUMPFILE}."
+
+echo "\n\n### Ensure the dumped database is identical with the reference ###"
+diff -urN ./debian/tests/integration_test_debian.itd.sql "${DUMPFILE}"
+echo "./debian/tests/integration_test_debian.itd.sql and ${DUMPFILE} match."
+
+echo "\n\n### Cleaning up databases ###"
+mysql -e 'drop database integration_test_debian;'
+mysql -e 'drop database integration_test_debian2;'
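Review bot: the script never exercises the behaviour this update changes. It round-trips a dump through mydumper and myloader and diffs the output, but nothing checks that a connection opened by mydumper has LOAD DATA LOCAL turned off, so a regression of the CVE-2025-30224 fix (or the fix never taking effect) passes unnoticed; a negative check that an attempt to use the local infile capability through the patched client path fails would make the autopkgtest cover the fix rather than only general functionality. Smaller points: the `$(ls -1td ./export-* | head -n 1)` argument on the `myloader` line is unquoted, and the `echo "\n\n..."` lines depend on dash's builtin echo interpreting backslash escapes, which bash's does not, so `printf '\n\n...'` would be portable; the header comment should read "delete the databases that were created".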

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.

--- End Message ---
